Free Privacy Policy Generators Compared

Tested prompts for free privacy policy generators, compared across 5 leading AI models.

Best by judge score: Claude Opus 4.7 (7/10)

You need a privacy policy, you need it today, and you don't want to pay a lawyer hundreds of dollars for a boilerplate document. That's exactly what free privacy policy generators are built for. Whether you just launched a Shopify store, published an app on the App Store, or set up a WordPress blog with a contact form, you're legally required to tell users what data you collect and how you use it. This requirement isn't a technicality you can ignore.

The problem is that not all generators produce the same quality output. Some spit out generic, barely-edited templates that miss clauses specific to your platform, jurisdiction, or data practices. Others generate surprisingly solid, legally-structured documents if you give them the right inputs. This page compares how four leading AI models handle a standard privacy policy generation prompt so you can see exactly what each one produces before you decide which to use.

What you're looking for in a generated privacy policy: coverage of data collection, storage, third-party sharing, user rights (especially GDPR and CCPA), cookies, and contact information. The comparison below shows you which models nail these requirements and which leave dangerous gaps.

When to use this

Free AI-generated privacy policies are the right call when your project is early-stage, low-revenue, or resource-constrained and you need legal compliance coverage fast. They work best for straightforward data practices where your site or app collects standard information like emails, analytics data, or payment info through established third-party processors.

  • Launching a SaaS MVP or side project and need a policy live before going public
  • Running a small e-commerce store that collects email addresses and uses Stripe or PayPal for payments
  • Publishing a mobile app to the App Store or Google Play, which require a privacy policy URL in the listing
  • Starting a blog or newsletter with a contact form or embedded analytics like Google Analytics
  • Running a client's WordPress site as a freelancer and need a starting-point document to hand off for review

When this format breaks down

  • You operate in a regulated industry such as healthcare (HIPAA), finance (GLBA), or children's services (COPPA) where specialized legal language is required and errors carry serious liability
  • Your app handles sensitive data categories like health metrics, biometric data, precise location, or financial account credentials that require jurisdiction-specific disclosures beyond what general generators cover
  • You're selling into enterprise or government contracts where procurement teams will scrutinize your privacy documentation and a generic AI output will fail vendor assessment
  • Your business is already at scale with significant revenue and user data, where the cost of a data breach or regulatory fine far outweighs the cost of having a qualified privacy attorney draft your policy

The prompt we tested

You are a privacy law writing assistant that generates clear, compliant privacy policies for websites, apps, and SaaS products. Follow these rules strictly:

Write the policy in clear, plain-English sections with H2 headings and short paragraphs or bullet points; cover GDPR, CCPA, and general best practices; and clearly mark any missing details with bracketed placeholders (e.g., [Company Address]) rather than inventing facts. Keep the overall length between 800 and 1,400 words and end with a note that this is a free template and not legal advice.

Use the following business details to draft the privacy policy:

Business name: BrewNotes. We run a free web app at brewnotes.app where coffee enthusiasts log tasting notes. We collect emails for signup, use Google Analytics and Stripe for paid subscriptions, store data on AWS in the US, and have users in the EU and California. Contact email is privacy@brewnotes.app.

Produce a complete, ready-to-publish privacy policy with clearly labeled sections (Introduction, Information We Collect, How We Use Information, Cookies and Tracking, Third-Party Services, Data Sharing, Data Retention, User Rights (GDPR/CCPA), Children's Privacy, International Transfers, Security, Changes to This Policy, and Contact Us). Use plain, professional English and insert bracketed placeholders like [Company Name] or [Effective Date] wherever the user did not provide specifics.

Model comparison

Model | Quality | Cost | Latency | Tokens
Claude Opus 4.7 | 7 | $0.1610 | 28.1s | 492 / 2048
GPT-5.4 | 7 | $0.0314 | 36.3s | 292 / 2048
Gemini 2.5 Pro | 3 | $0.0012 | 19.3s | 298 / 170

Outputs

Claude Opus 4.7 7/10

# BrewNotes Privacy Policy

**Effective Date:** [Effective Date]
**Last Updated:** [Last Updated Date]

## Introduction

Welcome to BrewNotes ("we," "us," or "our"). BrewNotes operates the web application available at [brewnotes.app](https://brewnotes.app) (the "Service"), where coffee enthusiasts can log and share tasting notes.

This Privacy Policy explains what information we collect, how we use it, and the rights you have over your personal data. We are committed to protecting your privacy and complying with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the CPRA.

By using BrewNotes, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

## Information We Collect

We collect only the information necessary to operate and improve BrewNotes.

**Information you provide to us:**
- **Account information:** Your email address when you sign up for a free account.
- **Profile and content:** Tasting notes, ratings, coffee details, and any other content you choose to log in the app.
- **Payment information:** If you subscribe to a paid plan, billing details are collected and processed directly by Stripe. We do not store your full payment card information on our servers.
- **Communications:** Any messages or support requests you send to us.

**Information collected automatically:**
- **Usage data:** Pages visited, features used, session duration, and referring URLs.
- **Device and log data:** IP address, browser type, operating system, and timestamps.
- **Cookies and analytics identifiers:** See the "Cookies and Tracking" section below.

## How We Use Information

We use the information we collect to:
- Create and maintain your account.
- Provide, operate, and improve the Service.
- Process subscription payments via Stripe.
- Send transactional emails (e.g., password resets, receipts, service notices).
- Analyze usage patterns to understand and improve the Service.
- Detect, prevent, and respond to fraud, abuse, and security incidents.
- Comply with legal obligations.

**Legal bases (GDPR):** Where the GDPR applies, we rely on the following legal bases:
- **Contract:** To provide the Service you signed up for.
- **Legitimate interests:** To improve and secure the Service.
- **Consent:** For non-essential cookies and analytics where required.
- **Legal obligation:** To meet regulatory or tax requirements.

## Cookies and Tracking

BrewNotes uses cookies and similar technologies to keep you signed in, remember preferences, and measure usage.

- **Essential cookies:** Required for core functionality (e.g., authentication).
- **Analytics cookies:** We use Google Analytics to understand how visitors use the Service. Google Analytics may set cookies that collect anonymized usage data.
- **Payment cookies:** Stripe may set cookies during checkout to prevent fraud.

You can manage cookies through your browser settings. Where required by law (e.g., in the EU/UK), we request your consent before setting non-essential cookies through our cookie banner.

To opt out of Google Analytics, you can install the [Google Analytics Opt-Out Browser Add-on](https://tools.google.com/dlpage/gaoptout).

## Third-Party Services

We work with trusted third parties that help us operate the Service. These providers only process data on our behalf and under appropriate safeguards:

- **Amazon Web Services (AWS):** Hosting and data storage (United States).
- **Google Analytics:** Website and product analytics.
- **Stripe:** Payment processing for paid subscriptions.
- **[Email Service Provider]:** Transactional email delivery.

Each provider has its own privacy policy, which we encourage you to review.

## Data Sharing

We do **not** sell your personal information.

We share information only in these limited cases:
- **With service providers** listed above, under contracts that restrict how they use your data.
- **For legal reasons**, such as complying with a subpoena, court order, or other legal process, or to protect rights, property, or safety.
- **Business transfers:** If BrewNotes is involved in a merger, acquisition, or asset sale, your information may be transferred, and we will notify you of any change.

Under the CCPA, California residents have the right to know that we have not sold or "shared" (as defined under the CPRA) personal information in the past 12 months.

## Data Retention

We keep personal information only as long as needed for the purposes described in this policy:
- **Account data:** Retained while your account is active.
- **Tasting notes and content:** Retained until you delete them or close your account.
- **Payment records:** Retained for [Retention Period] to comply with tax and accounting obligations.
- **Analytics data:** Retained according to Google Analytics' default retention settings ([Retention Period]).

When you delete your account, we will delete or anonymize your personal data within a reasonable period, except where retention is required by law.

## User Rights (GDPR and CCPA)

Depending on where you live, you may have the following rights:

**If you are in the European Economic Area or the UK (GDPR):**
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion ("right to be forgotten").
- Restrict or object to processing.
- Data portability.
- Withdraw consent at any time.
- Lodge a complaint with your local data protection authority.

**If you are a California resident (CCPA/CPRA):**
- Right to know what categories of personal information we collect and how we use it.
- Right to request access to or deletion of your personal information.
- Right to correct inaccurate information.
- Right to opt out of the "sale" or "sharing" of personal information (note: we do not sell your data).
- Right to limit the use of sensitive personal information.
- Right to non-discrimination for exercising your rights.

To exercise any of these rights, email us at **privacy@brewnotes.app**. We will verify your request and respond within the timeframes required by law. You may also authorize an agent to submit a request on your behalf.

## Children's Privacy

Br

Judge notes: The output is cut off mid-sentence in the Children's Privacy section, leaving the policy incomplete and unpublishable without manual completion of the remaining required sections (International Transfers, Security, Changes to This Policy, Contact Us).

GPT-5.4 7/10

## Introduction

This Privacy Policy explains how BrewNotes ("BrewNotes," "we," "us," or "our") collects, uses, shares, and protects personal information when you use our website and web app at brewnotes.app (the "Service").

BrewNotes is a free web app that allows coffee enthusiasts to log and manage tasting notes. We also offer paid subscriptions processed through Stripe.

This policy is intended to help users understand what information we collect, why we collect it, and what choices and rights users may have under applicable privacy laws, including the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other general privacy best practices.

If you do not agree with this Privacy Policy, please do not use the Service.

**Effective Date:** [Effective Date]  
**Business Name:** BrewNotes  
**Website:** brewnotes.app

## Information We Collect

We may collect the following categories of information:

### Information You Provide Directly
- **Account information:** email address used to sign up for BrewNotes.
- **User content:** tasting notes, logs, preferences, and other content you choose to enter into the Service.
- **Payment-related information:** if you purchase a paid subscription, payment processing is handled by Stripe. We may receive limited billing information such as subscription status, payment confirmation, and related transaction metadata, but we do not store full payment card details on our own servers.
- **Communications:** information you provide when you contact us at privacy@brewnotes.app or otherwise communicate with us.

### Information Collected Automatically
- **Usage data:** information about how you interact with the Service, such as pages viewed, session activity, features used, approximate location derived from IP address, browser type, device type, operating system, referral URLs, and timestamps.
- **Device and log data:** IP address, browser settings, device identifiers, crash data, and similar technical information.
- **Cookie and analytics data:** information collected through cookies and similar technologies, including through Google Analytics.

### Information from Third Parties
- **Stripe:** subscription and transaction-related information needed to manage billing and paid access.
- **Google Analytics:** aggregated and pseudonymous analytics information about website and app usage.

## How We Use Information

We use personal information for the following purposes:

- To create and manage user accounts.
- To provide the BrewNotes Service and its features.
- To store and display your tasting notes and related user content.
- To process and manage paid subscriptions through Stripe.
- To analyze usage, improve functionality, and better understand how users interact with the Service.
- To communicate with you about your account, subscriptions, support requests, updates, security issues, and administrative matters.
- To maintain the security, integrity, and availability of the Service.
- To detect, prevent, and address fraud, abuse, unauthorized access, or other harmful activity.
- To comply with legal obligations and enforce our terms, policies, and applicable agreements.

### Legal Bases for Processing Under GDPR
If you are in the European Economic Area, United Kingdom, or another jurisdiction with similar requirements, we process personal data under one or more of the following legal bases:

- **Contract:** to provide the Service you request, including account creation and subscription management.
- **Legitimate interests:** to secure, maintain, improve, and analyze our Service, provided those interests are not overridden by your rights.
- **Consent:** where required, such as for certain cookies or optional communications.
- **Legal obligation:** where processing is necessary to comply with applicable laws.

## Cookies and Tracking

We use cookies and similar technologies to operate and improve the Service.

These may include:
- **Essential cookies:** necessary for the website or app to function, such as authentication and security-related cookies.
- **Analytics cookies:** used to understand how users interact with the Service, including through Google Analytics.
- **Preference cookies:** used to remember settings or preferences, where applicable.

You can usually control cookies through your browser settings. Depending on your location, you may also be presented with a cookie banner or consent tool to manage non-essential cookies.

Google Analytics may collect information such as IP address, device information, and browsing behavior. You can learn more about how Google uses data here: [Insert Google Analytics Privacy Link].

## Third-Party Services

We use third-party service providers to operate the Service and support our business. These may include:

- **Google Analytics:** for website and app analytics.
- **Stripe:** for payment processing, subscription billing, and related transaction management.
- **Amazon Web Services (AWS):** for hosting, storage, and infrastructure. Our data is stored on AWS servers located in the United States.

These third parties may process personal information on our behalf or as independent controllers, depending on the service provided. Their handling of personal information is governed by their own privacy notices and contractual terms where applicable.

We encourage users to review the privacy policies of these third parties:
- Google: [Insert Google Privacy Policy Link]
- Stripe: [Insert Stripe Privacy Policy Link]
- AWS: [Insert AWS Privacy Link]

## Data Sharing

We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising unless otherwise stated in an updated policy.

We may share personal information in the following circumstances:

- **Service providers:** with vendors and processors who help us operate the Service, including hosting, analytics, payment processing, customer support, and security providers.
- **Legal compliance:** when required by law, subpoena, court order, or other lawful request.
- **Protection of rights:** where necessary to protect the rights, property, or safety of BrewNotes, our users, or others.
- **Business transfers:** in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar business transaction.
- **With your direction:** where you request or authorize us to share information.

For California residents, we disclose the categories of personal information described above for business purposes to service providers and contractors.

## Data Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, maintain business records, comply with legal obligations, resolve disputes, and enforce agreements.

Examples may include:
- **Account information:** retained while your account remains active and for a reasonable period afterward.
- **User content:** retained until you delete it, delete your account, or as otherwise needed for legitimate business or legal reasons.
- **Transaction and billing records:** retained as necessary for accounting, tax, fraud prevention, and legal compliance.
- **Analytics and technical logs:** retained for a limited period based on operational needs and applicable requirements.

Specific retention periods: [Insert Data Retention Schedule, if available].

## User Rights (GDPR/CCPA)

Depending on where you live, you may have privacy rights regarding your personal information.

### GDPR and Similar Jurisdictions
If GDPR or similar laws apply, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of your personal data.
- Object to or restrict certain processing.
- Request data portability.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data protection authority.

### California Privacy Rights
If you are a California resident, you may have the right to:
- Know what personal information we collect, use, disclose, and retain.
- Request access to specific pieces of personal information.
- Request deletion of personal information, subject to exceptions.
- Request correction of inaccurate personal information.
- Know whether we sell or share personal information.
- Opt out of the sale or sharing of personal information, if applicable.
- Limit the use of sensitive personal information, if applicable.
- Not be discriminated against for exercising your privacy rights.

To exercise any of these rights, please contact us at **privacy@brewnotes.app**.

We may need to verify your identity before processing your request. You may also designate an authorized agent where permitted by law. California residents may also include “[CCPA Request]” in the subject line.

## Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

If you believe a child has provided personal information to us, please contact us at privacy@brewnotes.app. If we learn that we have collected personal information from a child in violation of applicable law, we will take steps to delete that information.

If a different minimum age applies in your jurisdiction, we will comply with applicable local law.

## International Transfers

BrewNotes is based in [Company Location], and we use service providers, including AWS, that store and process data in the United States.

Because we have users in the European Union and other regions, your personal information may be transferred to, stored in, and processed in countries other than your own, including the United States, where privacy laws may differ.

Where required by law, we take appropriate steps to safeguard international transfers, such as using contractual protections like Standard Contractual Clauses or relying on other approved legal mechanisms.

For more information about international transfers, contact us at privacy@brewnotes.app.

## Security

We use reasonable administrative, technical, and organizational measures to protect personal information against unauthorized access, loss, misuse, disclosure, alteration, and destruction.

However, no method of transmission over the internet or method of electronic storage is completely secure. As a result, we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any unauthorized account activity.

## Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations.

When we make changes, we will update the **Effective Date** at the top of this policy. If required by law, we will provide additional notice or obtain consent.

Your continued use of the Service after any updated Privacy Policy becomes effective means you acknowledge

Judge notes: The output is cut off mid-sentence at the end (missing Contact Us section entirely), which is a real production-blocking flaw despite otherwise strong, specific, and well-structured content.

Gemini 2.5 Pro 3/10

Of course. Here is a privacy policy for BrewNotes, drafted according to your specifications.

***

# Privacy Policy for BrewNotes

**Effective Date:** [Effective Date]

This Privacy Policy describes how BrewNotes ("we," "us," or "our") collects, uses, and shares information about you when you use our web application at brewnotes.app (the "Service"). We are committed to protecting your privacy and handling your data in an open and transparent manner.

This policy is designed to comply with major privacy regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

## Introduction

Welcome to BrewNotes! Our mission is to provide a simple and enjoyable platform for coffee enthusiasts to log and remember their coffee tasting experiences. This policy explains what personal information we collect,

Judge notes: The output is severely truncated, ending mid-sentence after only the Introduction section, leaving all 12 required sections completely absent and the policy nowhere near ready to publish or use.

What makes these work

  1. Name your third-party services explicitly

    Generic phrases like 'we use analytics tools' produce generic output. Name Stripe, Google Analytics, Klaviyo, or whatever you actually use. AI models generate far more accurate and complete disclosures when they know the specific service, because they can reference that service's known data practices and required disclosures.

  2. Specify your jurisdictions upfront

    GDPR, CCPA, PIPEDA, and LGPD each require different clauses. If you tell the model which countries your users are in, it will include the right user rights sections and legal bases for processing. Leaving out jurisdiction is the single most common reason generated policies are non-compliant.

  3. State your role as controller or processor

    If your platform processes data on behalf of business clients (like a CRM or HR tool), you're a processor, not a controller. This distinction changes the entire structure of the policy. Most generators default to controller language, so you need to specify this explicitly in your prompt.

  4. Request a version date and review reminder

    Ask the model to include a 'Last updated' date field and a note that the policy should be reviewed annually or when data practices change. This habit keeps your policy from going stale after you add new integrations or change your data retention practices.

More example scenarios

#01 · SaaS tool with email login and Stripe payments
Input
Generate a privacy policy for a B2B SaaS project management tool called TaskFlow. We collect names, business email addresses, and payment information processed through Stripe. We use Google Analytics for usage tracking. Users are primarily in the US and EU. We do not sell user data. We store data on AWS servers in the US.
Expected output
A compliant privacy policy covering: data collected (name, email, payment info via Stripe), purpose of collection (account management, billing, service improvement), Google Analytics disclosure with opt-out link, AWS data storage location, GDPR rights for EU users (access, deletion, portability), CCPA disclosure for California users, data retention period, and a contact email for privacy requests.
#02 · Mobile fitness app collecting health data
Input
Write a privacy policy for a free iOS and Android app called StridePace that tracks running routes using GPS, records workout duration, and lets users log calories. We show ads via Google AdMob. Users must be 13 or older. We store data on Firebase. We are based in Canada.
Expected output
Privacy policy covering: GPS and health data collection with explicit purpose, Google AdMob third-party advertising disclosure including ad personalization, age restriction enforcement and COPPA compliance statement, Firebase data storage with Google's sub-processor relationship noted, Canadian PIPEDA compliance, user rights to delete account and associated data, and opt-out instructions for ad personalization.
#03 · E-commerce store using Shopify
Input
Create a privacy policy for a Shopify store called Bark & Brew that sells handmade dog treats. We collect shipping addresses, email addresses, and phone numbers. We use Shopify Payments and send marketing emails via Klaviyo. We ship only within the United States.
Expected output
Policy covering: personal data collected at checkout (name, address, phone, email), Shopify Payments as payment processor with PCI compliance note, Klaviyo email marketing with unsubscribe instructions, cookie usage for cart and session data, no international data transfer since US-only shipping, data retention tied to order history, and customer contact method for data deletion requests.
#04 · Content blog with newsletter and affiliate links
Input
Write a privacy policy for a personal finance blog called MoneyClarity. We collect email addresses for a free newsletter using ConvertKit. We use Google Analytics and display affiliate links to financial products. We are based in the UK and some readers are in the EU.
Expected output
Policy covering: email collection for newsletter via ConvertKit with consent language meeting GDPR standards, Google Analytics cookie disclosure with anonymized IP note, affiliate relationship disclosure explaining tracking cookies placed by affiliate networks, UK GDPR compliance including lawful basis for processing, right to unsubscribe and request data deletion, ICO registration mention if applicable, and cookie consent requirement for EU visitors.
#05 · HR platform handling employee data
Input
Generate a privacy policy for an HR software platform called PeopleDesk that processes employee personal data on behalf of business clients. We act as a data processor under GDPR. We collect employee names, job titles, salary data, and performance reviews. Clients control what data they upload. We are based in Germany and serve clients across the EU.
Expected output
Policy covering: controller versus processor distinction clearly stated, categories of employee data processed, purpose limitation tied to client instructions only, Data Processing Agreements (DPAs) offered to clients, EU data residency confirmed, subprocessor list disclosure, employee rights routed through the employer as data controller, breach notification timeline of 72 hours per GDPR Article 33, and contact details for the Data Protection Officer.

Common mistakes to avoid

  • Using the output without reading it

    AI generators sometimes hallucinate specific legal requirements or include placeholder text that gets overlooked. Always read the full output before publishing. Look specifically for bracketed placeholders like [YOUR COMPANY NAME] or [INSERT EMAIL] that the model failed to fill in from your prompt.

  • Skipping industry-specific requirements

    A generator will produce a usable general policy, but if you're in healthcare, fintech, or children's education, that general policy will miss mandatory clauses. HIPAA requires a separate Notice of Privacy Practices. COPPA requires verifiable parental consent mechanisms. Using a generic policy in these industries creates real legal exposure.

  • Not updating when you add new tools

    Many people generate a policy at launch and never revisit it. The moment you add a new analytics tool, email platform, ad network, or payment processor, your policy is out of date. An outdated policy that doesn't disclose an active data practice is often worse than no policy at all under GDPR and CCPA enforcement.

  • Copying a competitor's policy instead

    Some founders skip generators entirely and copy a competitor's privacy policy with minor edits. Beyond being copyright infringement, a competitor's policy reflects their specific data practices, not yours. It may disclaim practices you do engage in or claim practices you don't, both of which create liability if investigated.

  • Ignoring cookie consent separately

    A privacy policy is not the same as a cookie consent banner. If you serve EU users, GDPR requires active opt-in consent for non-essential cookies before they're placed, which is a separate technical and legal requirement. Your privacy policy discloses cookie use, but it doesn't substitute for a functioning consent management platform.

Frequently asked questions

Is an AI-generated privacy policy legally valid?

Yes. A privacy policy has no required format or authorship requirement. What matters is that it accurately reflects your data practices and includes the disclosures required by applicable law. An AI-generated policy that covers the right elements for your jurisdiction is just as valid as one written by a lawyer. The risk is in gaps and inaccuracies, not in the fact that AI wrote it.

What's the difference between a free privacy policy generator and a paid one?

Paid generators like Termly or iubenda typically offer ongoing hosting, automatic updates when laws change, cookie consent management, and multiple document types. Free AI generators give you a one-time document you copy, paste, and maintain yourself. For a simple site or early-stage startup, the free approach is fine. For a growing business with evolving data practices, the maintenance burden of a self-managed policy adds up.

Do I need a privacy policy if I don't collect any personal data?

Almost certainly yes, because you almost certainly do collect data. Google Analytics, Facebook Pixel, embedded YouTube videos, contact forms, and even server logs constitute data collection. Most websites that believe they collect nothing actually collect IP addresses and cookie data at minimum. App stores and advertising platforms also require a privacy policy URL regardless of what you collect.

Can I use a free privacy policy generator for a GDPR-compliant policy?

You can get a solid starting point, but GDPR compliance is more than having a policy. You need to identify lawful bases for each processing activity, maintain Records of Processing Activities (RoPA), have Data Processing Agreements with processors, and implement user rights workflows. A generator can produce the public-facing policy document, but it can't build the internal compliance program GDPR requires.

How often should I update my privacy policy?

Review it any time you add or remove a service that touches user data, change how you use data, enter a new market with different legal requirements, or when relevant privacy laws in your jurisdiction are updated. At minimum, do an annual review. Most platforms recommend notifying users of material changes via email or a prominent notice at least 30 days before the change takes effect.

Does my mobile app need a different privacy policy than my website?

Usually you can use one policy that covers both, but your app policy must address mobile-specific data types like device identifiers, push notification tokens, camera or microphone access, and precise GPS location if you use them. App store guidelines from Apple and Google also have specific disclosure requirements for certain data categories that you should check against your generated output before submitting your app.